Friday, April 22, 2011

This is a question that comes up more and more often among the product managers and CTOs I speak to. And surprisingly, it is a topic on which there is very little information, probably because it is a complex topic that requires deep expertise. But you need to be aware that Deep Packet Inspection engines, like any system, may be circumvented or blocked by malicious actions, or rendered inoperable by extreme traffic conditions.

The discipline of Deep Packet Inspection is not always an exact science. If you run the exact same traffic through 3 different brands of DPI equipment, you will get 3 different results. Why is this?

The result of a DPI analysis will depend on:

1) Deliberate actions to hide, using the numerous opportunities offered by non-standard, complex, decentralized networks; for example, people may use tunnels, or change the shape of their packets in order to bypass a DPI system designed to handle only “normal” packet shapes. Some DPI systems may detect this behavior, some may not. Also, deliberate attacks on servers may alter the way a DPI engine performs even if the engine itself is not targeted; how would your DPI engine perform during a SYN flood attack?

2) Accidental causes deriving from traffic conditions, configuration and bugs in network devices, mis-configured networks, etc. For example, a server configured in a “byte by byte mode” would send the “GET” method used in the HTTP protocol in 3 different packets (one for G, one for E and one for T). But a traditional DPI engine would look for the “GET” pattern within a single packet, which means it is unable to detect the HTTP protocol. And this is just a very basic example of a use case where basic DPI is ineffective. Here again, some DPI systems have been designed to cope with malformed traffic, some cannot.
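To make the “byte by byte” case concrete, here is an added example (not code from the original post): a per-packet matcher that looks for the HTTP method inside each packet, beside a flow-aware matcher that reorders TCP segments by sequence number and classifies the reassembled stream. The `Segment` type, the sequence numbers and the `max_buffered` limit are assumptions constructed for the illustration.

```python
from dataclasses import dataclass, field

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ")

@dataclass
class Segment:
    seq: int          # sequence number of the first payload byte (constructed)
    payload: bytes

def per_packet_detect(segments):
    """Traditional matcher: looks for a method token inside each packet on its own."""
    return any(m in s.payload for s in segments for m in HTTP_METHODS)

@dataclass
class FlowReassembler:
    """Orders segments by sequence number and returns the contiguous prefix of the stream."""
    isn: int                                   # first expected sequence number
    max_buffered: int = 4096                   # assumed per-flow memory bound
    buffered: dict = field(default_factory=dict)
    overflowed: bool = False

    def add(self, seg):
        held = sum(len(p) for p in self.buffered.values())
        if held + len(seg.payload) > self.max_buffered:
            self.overflowed = True             # a flow with a permanent gap must not grow unbounded
            return
        self.buffered.setdefault(seg.seq, seg.payload)  # keep the first copy on retransmit

    def contiguous(self):
        out, nxt = b"", self.isn
        while nxt in self.buffered:            # stop at the first missing segment
            out += self.buffered[nxt]
            nxt += len(self.buffered[nxt])
        return out

def stream_detect(segments, isn):
    """Flow-aware matcher: classifies the reassembled stream, not individual packets."""
    flow = FlowReassembler(isn)
    for s in segments:
        flow.add(s)
    return flow.contiguous().startswith(HTTP_METHODS)

# Constructed inputs: a normal request, and the same request sent one byte at a time, out of order.
NORMAL = [Segment(1000, b"GET / HTTP/1.1\r\n")]
BYTE_BY_BYTE = [Segment(1001, b"E"), Segment(1000, b"G"),
                Segment(1003, b" / HTTP/1.1\r\n"), Segment(1002, b"T")]
```

The per-packet matcher classifies `NORMAL` but misses `BYTE_BY_BYTE`; the flow-aware matcher classifies both, and the buffer bound keeps a flow whose gap is never filled from consuming memory without limit.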

The good news is that this is not inevitable. Because reverse engineering protocols and applications means working in real-life traffic conditions, decoding both standard and malformed traffic, there is always a solution to accurately detect each networked event. But this requires considerable investment in building DPI software which is resilient, robust and reliable.

Many DPI engines do not pay sufficient attention to this topic, which can result in potential performance and security issues. This is obviously a key concern for cyber security applications that could be weakened, but also for all applications that require accuracy and data quality, such as charging or parental control.

Working on resiliency, robustness and reliability is an ongoing effort, and should be top of mind for Deep Packet Inspection developers and product managers.